The only thing harder than planning for an incident, is having to explain why you didn't." A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an unforeseen incident—they have an "it will never happen to me" attitude.
More often than not, they are wrong. No organisation wants to be affected by an incident or expects it might occur, but that does not mean that they should not consider and plan a response in case something unexpected does happen.
Developing and implementing a response to incidents and disruptions is at the core of business continuity. It can determine how your organisation is perceived and whether your business survives.
It consists of ensuring that appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support these plans; and completing the necessary risk treatments to achieve the desired business continuity strategy, as earlier defined and agreed upon.
No matter what the incident or serious disruption, there are five overlapping stages of a response, each of which needs to be considered and included within the planning. These stages are mentioned below.
Emergency: The immediate response and actions that should be considered and, if necessary, taken, such as the evacuation of a building;
Incident Management: The management and coordination of a response to an incident, for example, deciding priorities and communicating with stakeholders.
Continuity: The initial response to ensure that essential activities can continue at their minimum level (as defined in the continuity requirements analysis).
Recovery: The actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.
Resumption: The activities and actions required to return the organisation back to its desired state of operation, which is considered to be "normal" operations.
This stage is sometimes referred to as the "return to normal" stage. Within each of these stages, most organisations will need to consider activities that fall within either a strategic, tactical or operational context. These three levels should be considered and addressed for each of the five response stages above.
Once you have discussed and decided upon appropriate responses for your organisation, the assigned individuals to be involved in each context (strategic, tactical and operational) should be identified, along with how decisions, actions and communications will operate between them. The responses and corresponding structure should then be documented.
The purpose of a Business Continuity Plan (BCP) is to provide guidance, rather than being too prescriptive, detailed and complex. This will defeat its purpose, reduce the likelihood of it being used and make it time consuming to maintain.
A BCP should include all the necessary and essential information, but be concise, accessible and easy to follow. There is no "one size fits all" definitive structure that is appropriate for all organisations, but there are numerous examples of BCP's on the internet. The plans which are appropriate for you will depend upon your organisation. However, Business and BCM knowledge should be combined to determine the optimum Business Continuity response structure for your organisation, and each plan should have an owner, be regularly reviewed, tested and validated — then updated, if necessary.
Within large organisations it is reasonable to expect there to be a number of different plans covering aspects of the recovery stages, for example a Crisis/Incident Management Plan, Business continuity/recovery plan for each department, IT disaster Recovery plan and a "return to normal" plan.
These may be complimented with specialist plans or procedures to deal with different types of incidents, such as evacuation, product recall, stakeholder/media communication, social media management, and pandemics (not to be confused with specific threat scenarios). Within small organisations, or SMEs, a number of these plans may be combined.
Infrastructure and facilities
All Business Continuity responses and strategies will require resources, including people, infrastructure and facilities, whether the strategy is to operate from someone's home or commercial premises. Someone will need to do something and will need to use something to do it.
The BIA and CRA previously undertaken will identify the essential items required and how quickly they are required; and the agreed strategy will define how they should be provided. The essential part in planning and implementing the response is to ensure these requirements can be provided when needed, and the necessary provisions are implemented and tested to ensure this can happen.
Technology is at the core of most businesses these days, and most organisations struggle to operate without it, whether it be a large data centre with multiple, complex servers, data storage and communication links, or whether it is simply a GSM, laptop and internet connection. Developing a response includes implementing the strategy for technology and proving its capability to support the business during the response stages.
This may include having spare GSMs, a backup data centre, replication of data storage, spare maintenance parts, additional supplies of PCs, laptops and printers or duplicate communication links.
In addition to the technology, people require somewhere to work and facilities to assist their working. This is true of a Crisis/Incident response team and also the people required to continue essential business activities. Facilities may include office space, desks, chairs, telephones, fax, photocopier, filing cabinets and such. If the organisation is involved in manufacturing, there may also be a requirement for plant and machinery. These should be identified and provisions implemented to ensure they can be available when required.
As part of achieving the desired and agreed business continuity strategy, it is important that the agreed treatment for business continuity risks have been implemented, thereby reducing the likelihood or impact if certain incidents or disruptions do occur.
The response plans should integrate into the risk treatment plans and ensure methods are implemented to identify when a risk materialises and the point at which escalation is required in case it develops into an incident or disruption which requires activation of part or all of the response plans.
The risk treatments should also be regularly reviewed and monitored to ensure they are still appropriate and achieve the desired results.